Database access control method, database access controller, agent processing server, database access control program, and medium recording the program

ABSTRACT

A disclosed database access control apparatus generates and stores an access key based on a user ID of a user apparatus. Then, the database access control apparatus sends the access key to the user apparatus with an address of a proxy process server apparatus. The user apparatus sends the access key to the proxy process server apparatus when making a database access request, and the proxy process server apparatus sends the access key to the database access control apparatus when making a database process request. When receiving the database process request, the database access control apparatus determines whether an access key the same as the access key received from the proxy process server apparatus is stored in the database access control apparatus, and accesses the database only if it holds that access key.

TECHNICAL FIELD

The present invention relates to an access control technology for databases. More particularly, the present invention relates to a database access control technology for accessing a database through cooperation between a database access control apparatus and a proxy process server apparatus as a proxy of a user.

BACKGROUND ART

Generally, since a database stores data of plural users, an access control mechanism of the database controls which user can register, refer to, update or delete which piece of data. In the following, registration, reference, update and delete are collectively referred to as “access to a database”. For example, in the access control mechanism, access control is performed such that a user B cannot access data of a user A and the user A cannot access data of the user B.

As an access control method of the database, there is a previously known method in which a user who tries to access data is identified by comparing authentication information such as a pair of a user ID and a password that are passed to the database by the user with authentication information registered beforehand in the access control mechanism of the database, and next, whether to give permission to access each piece of data is determined based on an access control list in which accessible data are set for the identified user.

This is a method that is used in many existing databases. In SQL 92, which is a standard language for accessing databases, a GRANT statement and a REVOKE statement are defined for adding and deleting access authority information in the access control list so as to add or cancel access authority to data for a user.

The above-mentioned access control method is applied to a case in which only users who store data in the database access the database. On the other hand, as an example different from that, there is a method in which a proxy agent (a proxy process server) instead of a user who stores data in the database accesses the database. This method is performed by the user requesting the proxy agent to access the database. This method is performed in a case, for example, where the proxy agent provides a function for processing data, and the user has the proxy agent process data stored in the database so that the user receives a process result.

A matter that should be considered when the proxy agent as a proxy of the user accesses the database is that the proxy agent should access the database based on access authority of the user who is a client. For example, when a user A requests a proxy agent to access a database, access control should be performed such that the proxy agent can only access data which the user A is permitted to access. That is, there should not be a case where, in spite of a request by the user A, the proxy agent accesses data of the user B that are not permitted to be accessed by the user A and returns the data to the user A. An event in which a proxy agent accesses a database based on access authority of a client user is called a transfer of access authority from the user to the proxy agent.

As the simplest one of the access control methods that satisfies the above-mentioned condition, there is a method in which a user passes own authentication information such as a user ID and a password to a proxy agent for accessing a database so that the proxy agent accesses the database with the authentication information to obtain data of the user.

Another method uses digital signature technology and encrypted communication technology for determining whether a transfer of access authority to the proxy agent by the user is valid by using a digital certificate, a digital signature, encryption and a unidirectional function (for example, refer to document 1: Japanese Laid-Open Patent Application No. 2001-101054; document 2: Japanese Laid-Open Patent Application No. 2002-163235).

However, there is the following problem in the method in which the user passes the own authentication information to a proxy agent and the proxy agent accesses a database by using the authentication information. Generally, the proxy agent is an entity of a third party different from the user; thus, the user cannot necessarily trust the proxy agent. Therefore, for example, if a user A passes authentication information such as a user ID and a password to the proxy agent, there is a possibility that the proxy agent will perform a malicious process in which the proxy agent holds the authentication information in its inside, so that the proxy agent disguises itself as the user A by using the held authentication information when a user B, which is another user, accesses the database so as to allow the user B to access the data of the user A that the user B is not permitted to access.

In addition, in the method for determining the transfer of the access authority and the like by using digital signature technology and encryption communication technology, it is necessary to perform complicated processes such as producing the digital certificate, producing the digital signature, encryption and the unidirectional function. In addition, it is necessary to perform several steps of exchanging key information and authentication information and the like between the user, the proxy agent and the database. In addition, these methods are used only for a system for transferring access authority, and even though the method is used, it is not ensured that a result of accessing the database based on the transferred access authority is returned with reliability to the user who has transferred the access authority. Therefore, this method is not appropriate for applying to the proxy agent that the user requests to access a database.

DISCLOSURE OF THE INVENTION

PROBLEM TO BE SOLVED BY THE INVENTION

The present invention is contrived to solve the above-mentioned problem, and an object of the present invention is to provide a mechanism for preventing a proxy agent (a proxy process server) from performing an unauthorized access to a database or to a function corresponding to a database.

MEANS FOR SOLVING THE PROBLEM

In the present invention, a database access control apparatus sends an address of a usable proxy process server apparatus to a user apparatus in response to a request from the user apparatus. The user apparatus connects to the proxy process server apparatus of the address to make a database access request, and the proxy process server apparatus makes the database process request to the database access control apparatus according to the database access request from the user apparatus. The database access control apparatus performs a process on a database in response to the database process request from the proxy process server apparatus, and sends the process result to the proxy process server apparatus. The proxy process server apparatus performs a requested process on the process result sent from the database access control apparatus, and sends a process result to the user apparatus.

In addition, in the present invention, the database access control apparatus generates an access key based on a user ID of the user apparatus, stores the access key in a storing part of the database access control apparatus and sends the access key to the user apparatus. The user apparatus sends the access key to the proxy process server apparatus when making the database access request to the proxy process server apparatus, and the proxy process server apparatus sends the access key to the database access control apparatus when making the database process request to the database access control apparatus. The database access control apparatus determines whether an access key the same as the access key received from the proxy process server apparatus exists in the storing part, and executes an access to data in the database within a limit permitted for the user ID corresponding to the access key only if the access key exists in the storing part.

In addition, in the present invention, the database access control apparatus determines whether the user apparatus is in a state of connecting to the proxy process server apparatus in addition to performing determination of the access key, and performs the access to the data in the database only if the user apparatus is in a state of connecting to the proxy process server apparatus.

In the above-mentioned configurations, the database process request means a request for a process such as data registration, change, delete or search to a database.

EFFECT OF THE INVENTION

According to the present invention, a proxy process server apparatus that is not provided with a proxy process permission cannot execute a database access process, and even a proxy process server apparatus that is provided with a proxy process permission cannot perform a process such as data registration, change, delete or search on a database exceeding the authority of the user ID that requested a proxy process.

In addition, the proxy process server apparatus is prevented from performing a database search process by itself without receiving a search proxy process request from a user apparatus. Therefore, a user of the proxy process server apparatus can use the proxy process server apparatus for performing a process for searching a database and processing the search result, without worrying about invalid acts being performed. Accordingly, the user can use various proxy process server apparatuses that perform useful processes provided by third parties.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a whole system to which the present invention is applied.

FIG. 2 is a schematic diagram showing an example of stored data in a database.

FIG. 3 is a sequence diagram of a process sequence of an embodiment of the present invention.

FIG. 4 is a schematic diagram for showing liaison between apparatuses in an embodiment of the present invention.

DESCRIPTION OF SYMBOLS

100 database access control apparatus

101 mediation process part

102 access process part

200 database

210 user data part

220 user system data part

230 stored data part

300 proxy process server apparatus

400 user apparatus

500 network

PREFERRED EMBODIMENTS FOR CARRYING OUT THE INVENTION

In the following, embodiments of the present invention are described with reference to figures in more detail.

Embodiment 1

FIG. 1 shows a block diagram of a whole system to which the present invention is applied. In FIG. 1, 100 indicates a database access control apparatus, 200 indicates a database shared by plural users, 300 indicates a proxy process server apparatus, 400 indicates user apparatuses of each user, and 500 indicates a network such as the Internet. The database access control apparatus 100 includes a mediation process part 101 having a mediation function between the user apparatus 400 and the proxy process server apparatus 300, and an access process part 102 having an access function to access stored data of the database 200.

The database 200 holds beforehand information on users such as registered user IDs and authentication information, information on the proxy process server apparatuses 300 and stored data that the system provides. In addition, although not shown in FIG. 1, the database 200 includes an access control mechanism in the inside. The database access control apparatus 100 and the database 200 may be connected directly or via a network.

In the following, a case for obtaining a search result of data from the database apparatus via the proxy process server apparatus is described. Other than data search that is described in the following, the present invention can be applied to various processes such as data registration, update, delete, search and the like.

The database access control apparatus 100, the proxy process server apparatus 300 and the user apparatus 400 are connected via the network 500. The actual entity of each of the database access control apparatus 100 and the proxy process server apparatus 300 is a computer that performs each process by a program under an environment of hardware resources such as a CPU, a memory and the like. In this embodiment, the database access control apparatus 100 and the proxy process server apparatus 300 operate in cooperation with each other as a proxy of a user so that access to the database 200 is performed, a desired process is performed on read stored data, and the result is sent to a user apparatus 400 of the user.

FIG. 2 is an example of stored data in the database 200. The database 200 includes a user data part 210, a user system data part 220, and a stored data part 230. The user data part 210 is for storing information on registered users. The user data part 210 stores, for each user, a user ID 211, authentication information 212, user authority information 213, session information 214, a proxy server list 215, and an ID of each connecting proxy process server 216. The user system data part 220 is for storing information of a system that acts as a proxy of a user. In this embodiment, the user system data part 220 stores an ID (proxy process server ID) 221 of the proxy process server apparatus 300, and the URL (proxy process server URL) 222. The stored data part 230 stores data 231 and viewing availability authority information 232 of the data.

FIG. 3 shows a sequence example of whole processes of the present embodiment. In addition, FIG. 4 shows liaison between apparatuses. By referring to FIGS. 3 and 4, in the following, an example is described in which HTTP is used as a protocol for connecting three parties that are the user apparatus 400, the database access control apparatus 100 and the proxy process server apparatus 300.

First, from a user apparatus 400, a user logs in to the database access control apparatus 100 by using a user ID 211 stored in the user data part 210 of the database 200 beforehand (step 1). At this time, the mediation process part 101 of the database access control apparatus 100 performs an authentication process by using the authentication information 212 of each user stored in the user data part 210 of the same database 200. Accordingly, the mediation process part 101 of the database access control apparatus 100 determines whether the user who tries to log in is a valid user who has registered beforehand, and sends an authentication result to the user apparatus 400 (step 2).

Next, the user apparatus 400 sends a command to the database access control apparatus 100 for requesting a list of proxy process server apparatuses that the user can use (step 3). The mediation process part 101 of the database access control apparatus 100 that receives the command reads the list 215 of the proxy process server apparatuses 300 that the user can use from the user data part 210 of the database 200, and sends the list to the user apparatus 400 (step 4). The user apparatus 400 displays the received proxy process server list on a screen. When a proxy process server apparatus 300 to be used is selected by the user from among the usable proxy process servers that are displayed, the user apparatus 400 sends the result to the database access control apparatus 100 (step 5). The user apparatus 400 also sends information necessary for processes (database access and the like) in the proxy process server 300 on the basis of the input by the user in step 5.

When the mediation process part 101 of the database access control apparatus 100 receives information of the selected proxy process server apparatus 300 from the user apparatus 400, the mediation process part 101 searches the list 215 of proxy process server apparatuses 300 that can be used by the user in the user data part 210 of the database 200 so as to determine whether use of the selected proxy process server apparatus 300 by the user is permitted. After that, the mediation process part 101 generates a random number (session information) based on the user ID, generates a Cookie (access key) from the generated session information and sends it to the user apparatus 400 of the user (step 6), obtains a URL 222 of the selected proxy process server apparatus 300 from the user system data part 220 of the database 200, and sends the URL 222 to the user apparatus, so as to instruct the user apparatus 400 to perform a redirect connection to the proxy process server apparatus by a HTTP redirect response (step 7). In addition, the mediation process part 101 stores the generated session information and an ID number 216 of the proxy process server apparatus 300 to be connected in the user data part 210 of the database 200.

When the user apparatus 400 performs the redirect connection to the proxy process server apparatus 300, the user apparatus 400 sends a value of the Cookie received from the database access control apparatus 100 to the proxy process server apparatus 300 (step 8).

The proxy process server apparatus 300 extracts the value of the Cookie included in a connection request that is a HTTP request from the user apparatus 400. Then, the proxy process server apparatus 300 sends a HTTP request (database search request) to the database access control apparatus 100 by using a value for designating a table of stored data necessary for performing processes directed by the user and a value used for search as arguments of the HTTP request (step 9). In addition, with the database search request, an ID of the proxy process server apparatus 300 is sent to the database access control apparatus 100.

The mediation process part 101 of the database access control apparatus 100 that receives the HTTP request (database search request) from the proxy process server apparatus 300 first extracts the arguments set in the request. Then, the mediation process part 101 extracts session information in the value of the Cookie in the arguments, and identifies a user ID of the user apparatus 400 that has originated the HTTP request to the proxy process server apparatus 300 by comparing the extracted session information and session information 214 in the user data part 210 of the database 200 (user identification). When the user ID exists, the mediation process part 101 obtains an ID number of the proxy process server apparatus 300 received from the proxy process server apparatus 300, and compares an ID number 216 of the connecting proxy process server apparatus 300 corresponding to the user ID in the user data part 210 of the database 200 with the above-mentioned ID number to determine whether they are the same (proxy process server checking). When they are the same, it is determined whether the ID of the proxy process server apparatus 300 exists in the user system data part 220 (imposture check for proxy process server). Further, a process may be performed for checking whether the user of the user ID has permission to use the proxy process server apparatus 300 by using the proxy process server list 215.

If the user ID corresponding to the session information does not exist, or if the received ID number of the proxy process server apparatus 300 is not the same as the ID number recorded as a connecting proxy process server ID, or if the ID of the proxy process server apparatus 300 does not exist in the user system data part 220, the mediation process part 101 of the database access control apparatus 100 sends an error response to the proxy process server apparatus 300, and does not perform any process after that.

If the user ID exists, ID numbers of the proxy process server apparatus are the same and the ID of the proxy process server apparatus 300 exists in the user system data part 220, the mediation process part 101 passes remaining argument information included in the HTTP request to the access process part 102 for accessing the stored data part 230 of the database 200.

According to the arguments passed from the mediation process part 101, the access process part 102 of the database access control apparatus 100 executes a search for the stored data 230 of the database 200. At this time, in a case where viewing authority information 232 is set for each user ID in the stored data 230, the search can be performed only if user authority information 213 set for the user ID in the user data part of the database 200 agrees with viewing availability authority information 232 of the stored data 230 (user authority check). A result obtained by searching by the access process part 102 is passed to the mediation process part 101, and the mediation process part 101 sends the result to the proxy process server apparatus 300 as a HTTP response for the HTTP request from the proxy process server apparatus 300 (step 10).

The HTTP request and the response between the proxy process server apparatus 300 and the database access control apparatus 100 can be performed plural times corresponding to searches of the stored data necessary for processes of the proxy process server apparatus 300.

The proxy process server apparatus 300 performs necessary data processes (a process for performing data mining, a process in combination with related data stored in a database included in the proxy process server apparatus itself and the like) on stored data included in the HTTP response received from the mediation process part 101 of the database access control apparatus 100, and sends the result to the user apparatus 400 in the form of a HTTP response (step 11).

In the above-mentioned operations, one proxy process server apparatus 300 is selected from the list of the proxy process server apparatuses 300 received from the database access control apparatus 100 by the user apparatus 400, and the selected result is sent to the database access control apparatus 100. Then, the mediation process part 101 of the database access control apparatus 100 records the ID number of the selected proxy process server apparatus 300 as the ID number 216 of a connecting proxy process server apparatus 300 in the user data part 210 of the database 200. After that, in order to connect to another proxy process server apparatus 300, when the user apparatus 400 performs list display of the proxy process server apparatuses 300 again or performs an operation for another service provided by the database access control apparatus 100, the previous ID number (216) of the proxy process server apparatus 300 stored in the user data part 210 of the database 200 is deleted or rewritten. In addition, a different value is generated as the session information each time when login by the user ID is performed.

Therefore, even if the proxy process server apparatus 300 stores a value of the Cookie from the once connected user apparatus 400 and tries to connect to the database access control apparatus 100 without receiving a request from the user apparatus 400, since the mediation process part 101 of the database access control apparatus 100 cannot identify a user based on the session information included in the value of the Cookie, a search process requested by the proxy process server apparatus 300 is not performed. Further, when the proxy process server apparatus 300 connects to the database access control apparatus 100 by itself without receiving a request from the user apparatus 400, the mediation process part 101 of the database access control apparatus 100 does not perform a search process requested by the proxy process server apparatus 300 since the ID number of the proxy process server apparatus 300 is not recorded in the user data part 210 of the database 200 as the ID number 216 of a connecting proxy process server apparatus 300.

In addition, even if the user apparatus tries to connect to a database by directly designating a URL other than proxy process server apparatuses 300 included in the list received from the database access control apparatus 100 and by using a Cookie generated for another proxy process server apparatus, the mediation process part 101 of the database access control apparatus 100 does not execute a search process requested by the proxy process server apparatus 300 since the ID of the proxy process server is not recorded in the user data part of the database access control apparatus 100 as a connecting proxy process server 216. Accordingly, the user apparatus 400 can be prevented from using a proxy process server apparatus other than the proxy process server apparatuses 300 displayed on the list.
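As an added example that is not part of the patent, the following Python sketch models the mediation process part 101 and the access process part 102 for steps 1 through 10 above (session generation at proxy selection, user identification by the Cookie, the connecting-proxy check against 216, the imposture check against 220, and the user authority check of 213 against 232) and exercises the rejected cases just described: a proxy that was not the selected one, a proxy acting after the user has moved on, and a stored Cookie replayed after a new session was issued. All class, method and field names, the in-memory stand-in for database 200, and the sample users and proxies are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory stand-in for the database 200 (parts 210, 220, 230).
# Names are assumptions of this example, not the patent's own code.


@dataclass
class UserRecord:
    user_id: str                                   # 211
    password: str                                  # 212 (plaintext only for this toy)
    authority: str                                 # 213 user authority information
    proxy_list: set = field(default_factory=set)   # 215 proxy IDs the user may use
    session: Optional[str] = None                  # 214 session information
    connecting_proxy: Optional[str] = None         # 216 ID of the connecting proxy


class AccessControlApparatus:
    """Mediation process part 101 and access process part 102 of apparatus 100."""

    def __init__(self, users, proxies, stored):
        self.users = {u.user_id: u for u in users}   # user data part 210
        self.proxies = proxies                       # 220: proxy ID 221 -> URL 222
        self.stored = stored                         # 230: (data 231, authority 232)

    def login(self, user_id, password):
        """Steps 1-2: authenticate against 212; any earlier session is dropped."""
        user = self.users.get(user_id)
        if user is None or not secrets.compare_digest(user.password, password):
            return False
        user.session, user.connecting_proxy = None, None
        return True

    def list_proxies(self, user_id):
        """Steps 3-4: return list 215; displaying it again clears the old 216."""
        user = self.users[user_id]
        user.connecting_proxy = None
        return sorted(user.proxy_list)

    def select_proxy(self, user_id, proxy_id):
        """Steps 5-7: verify the choice against 215, mint session 214, record 216,
        and hand back the Cookie (access key) plus the redirect URL 222."""
        user = self.users[user_id]
        if proxy_id not in user.proxy_list:
            return None
        user.session = secrets.token_hex(16)         # fresh random value per step 6
        user.connecting_proxy = proxy_id
        return "session=" + user.session, self.proxies[proxy_id]

    def handle_search(self, cookie, proxy_id, query):
        """Steps 9-10: the checks applied to the proxy's database search request."""
        session = cookie.partition("session=")[2]
        # user identification: which user's stored session 214 matches the Cookie?
        user = next((u for u in self.users.values() if u.session is not None
                     and secrets.compare_digest(u.session, session)), None)
        if user is None:
            return "error: unknown session"
        # proxy process server checking: is the caller the proxy recorded as 216?
        if user.connecting_proxy != proxy_id:
            return "error: proxy is not the connecting proxy for this user"
        # imposture check: is the proxy registered in the user system data part 220?
        if proxy_id not in self.proxies:
            return "error: unregistered proxy"
        # optional check from the text: the user is allowed to use this proxy (215)
        if proxy_id not in user.proxy_list:
            return "error: proxy not permitted for user"
        return self._search(user, query)

    def _search(self, user, query):
        """Access process part 102: user authority check, 213 against 232, per row."""
        return [data for data, viewing in self.stored
                if query in data and (viewing is None or viewing == user.authority)]


def build_demo():
    """Constructed sample deployment: two users and two registered proxies."""
    users = [UserRecord("alice", "pw-a", "group1", {"P1", "P2"}),
             UserRecord("bob", "pw-b", "group2", {"P1"})]
    proxies = {"P1": "http://proxy1.example/", "P2": "http://proxy2.example/"}
    stored = [("report-g1", "group1"), ("report-g2", "group2"), ("report-all", None)]
    return AccessControlApparatus(users, proxies, stored)


def demo_flow():
    """Happy path, then the misuse cases the description says are rejected."""
    dac = build_demo()
    dac.login("alice", "pw-a")
    cookie, url = dac.select_proxy("alice", "P1")
    served = dac.handle_search(cookie, "P1", "report")       # live request via P1
    wrong_proxy = dac.handle_search(cookie, "P2", "report")  # P2 was not selected
    dac.list_proxies("alice")                                # user moves on; 216 cleared
    stale = dac.handle_search(cookie, "P1", "report")        # proxy acting on its own
    dac.login("alice", "pw-a")
    dac.select_proxy("alice", "P1")                          # new session 214 issued
    replay = dac.handle_search(cookie, "P1", "report")       # stored Cookie replayed
    return served, wrong_proxy, stale, replay
```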

A part or the whole of process functions of the database access control apparatus 100 shown in FIG. 1 can be formed by a program of a computer, so that the present invention can be realized by executing the program on the computer. Or, the process sequence procedure shown in FIG. 2 can be formed by a program of a computer, and the program can be executed on a computer. In addition, the program for realizing the process functions in the computer or the program that causes the computer to execute the process procedure can be stored and provided in a computer readable recording medium, such as, for example, a FD, a MO, a ROM, a memory card, a CD, a DVD, and a removable disk. In addition, the program can be distributed via a network such as the Internet.

The present invention is not limited to the specifically disclosed embodiments, and variations and modifications may be made without departing from the scope of the claims.

1. A database access control method for performing access control on a database in response to a request from a user apparatus through cooperation between a database access control apparatus and a proxy process server apparatus, wherein: the database access control apparatus sends an address of a usable proxy process server apparatus to the user apparatus in response to the request from the user apparatus; the user apparatus connects to the proxy process server apparatus of the address to make a database access request; the proxy process server apparatus makes a database process request to the database access control apparatus according to the database access request from the user apparatus; the database access control apparatus performs a process on the database in response to the database process request from the proxy process server apparatus, and sends a process result to the proxy process server apparatus; and the proxy process server apparatus performs an additional process on the process result sent from the database access control apparatus, and sends an additional process result to the user apparatus.

2. The database access control method as claimed in claim 1, wherein, the database access control apparatus generates an access key based on a user ID of the user apparatus, stores the access key in a storing part of the database access control apparatus and sends the access key to the user apparatus; the user apparatus sends the access key to the proxy process server apparatus when making the database access request to the proxy process server apparatus; the proxy process server apparatus sends the access key to the database access control apparatus when making the database process request to the database access control apparatus; and the database access control apparatus determines whether an access key the same as the access key received from the proxy process server apparatus exists in the storing part, and executes an access to data in the database within a limit permitted for the user ID corresponding to the access key only if the access key exists in the storing part.

3. The database access control method as claimed in claim 2, wherein, the database access control apparatus determines whether the user apparatus is in a state of being connected to the proxy process server apparatus in addition to performing determination of the access key, and performs the access to the data in the database only if the user apparatus is in the state of being connected to the proxy process server apparatus.

4. A database access control apparatus for performing access control on a database in response to a request from a user apparatus through cooperation with a proxy process server apparatus, comprising: means for instructing the user apparatus to connect to the proxy process server apparatus by sending an address of a usable proxy process server apparatus to the user apparatus in response to a request from the user apparatus; and means for performing a process on the database in response to a database process request from the proxy process server apparatus, and sending a process result to the proxy process server apparatus.

5. The database access control apparatus as claimed in claim 4, further comprising: means for generating an access key based on a user ID of the user apparatus, storing the access key in a storing part of the database access control apparatus and sending the access key to the user apparatus when sending the address of the proxy process server apparatus to the user apparatus; means for receiving the access key and the database process request from the proxy process server apparatus, and determining whether an access key the same as the access key received from the proxy process server apparatus exists in the storing part; and means for executing an access to data in the database within a limit permitted for the user ID corresponding to the access key only if the access key exists in the storing part.

6. The database access control apparatus as claimed in claim 5, wherein, the database access control apparatus determines whether the user apparatus is in a state of being connected to the proxy process server apparatus in addition to performing determination of the access key, and performs the access to the data in the database only if the user apparatus is in the state of being connected to the proxy process server apparatus.

7. A proxy process server apparatus for accessing a database via a database access control apparatus in response to a request from a user apparatus, comprising: means for receiving an access key and a database access request from the user apparatus; means for sending a database process request and the access key to the database access control apparatus; and means for receiving a process result of the database according to the database process request, performing an additional process on the process result, and sending an additional process result to the user apparatus.

8. A program for causing a computer to execute a database access control process for performing access control on a database in response to a request from a user apparatus through cooperation with a proxy process server apparatus, the program causing the computer to execute: a step for instructing the user apparatus to connect to the proxy process server apparatus by sending an address of a usable proxy process server apparatus to the user apparatus in response to a request from the user apparatus; and a step for performing a process on the database in response to a database process request from the proxy process server apparatus, and sending a process result to the proxy process server apparatus.

9. The program as claimed in claim 8, the program causing the computer to execute: a step for generating an access key based on a user ID of the user apparatus, storing the access key in a storing part of the database access control apparatus and sending the access key to the user apparatus when sending the address of the proxy process server apparatus to the user apparatus; a step for receiving the access key and the database process request from the proxy process server apparatus, and determining whether an access key the same as the access key received from the proxy process server apparatus exists in the storing part; and a step for executing an access to data in the database within a limit permitted for the user ID corresponding to the access key only if the access key exists in the storing part.

10. The program as claimed in claim 9, the program causing the computer to execute: a step for determining whether the user apparatus is in a state of being connected to the proxy process server apparatus in addition to performing determination of the access key, and performing the access to the data in the database only if the user apparatus is in the state of being connected to the proxy process server apparatus.

11. A computer readable recording medium recording the program as claimed in any one of claims 8-10.

12. A program for causing a computer to perform a proxy process for accessing a database via a database access control apparatus in response to a request from a user apparatus, the program causing the computer to execute: a step for receiving an access key and a database access request from the user apparatus; a step for sending a database process request and the access key to the database access control apparatus; and a step for receiving a process result of the database according to the database process request, performing an additional process on the process result, and sending an additional process result to the user apparatus.

13. A computer readable recording medium recording the program as claimed in claim 12.